Based on what I’ve read from sources I trust in the tech press, here’s what I’m doing.
The short answer is: change your passwords.
Because security experts agree we should be changing our passwords regularly in any case, this is easy advice to give. Like me, you probably don’t change them as often as the experts suggest. So, now is a good time to get off your butt and do it.
But what was the question?
This week you may have heard about the Heartbleed bug. You may be aware that some of your internet communications are encrypted, to protect the content of that communication. You may know that when a web address starts with “https” (note the letter S, for secure), all communication to and from the address is being encrypted. OpenSSL (a widely used implementation of the SSL/TLS protocol) is used by the majority of “secure” web sites and services, including many that you probably use every day (including the web site you are reading now). Alas, it turns out the version of OpenSSL in widespread use for the last two years had an extremely serious security flaw this whole time. I’ll leave it to my favorite web comic to explain this breach with pictures.
So, the question most people have is: How serious a problem is this, really? And, more to the point, what should I do about it? Well, here’s what I’m doing about it.
First of all, if you have above average security concerns, you should be consulting serious security experts, not me. (And if you aren’t already on top of issues like this, your security is in serious jeopardy.) But for the rest of us…
The simplest answer I can give is: change your passwords. Everywhere.
THE EASY WAY:
Okay, that sounds like a pain in the ass, doesn’t it? I know I have more accounts than I can count on more services than I remember. And I’ve got other shit to do. So, what am I really doing?
I’m starting with the most critical services I use, the ones where I’d be seriously screwed if someone hijacked or had access to my account. Just take a minute to think about how much you really depend on different services, and it’s probably obvious which are most important to you.
For example, I’ve already changed the passwords on my business and personal email accounts. Email accounts are particularly important, in no small part, because other services will use an emailed verification to confirm significant changes. Thus, control of your email account(s) gives you, or a hacker, control of many other services.
From here on, as I have occasion to log into the other services that I consider important, I’m taking an extra minute to change my password on each of those accounts, as well. Conveniently, the accounts I use most often tend to be the ones I consider most important. So, by adding this extra step when I sign in, I’ll update most of my essential passwords over the coming days.
It’s important to also remember those services which do not prompt you for a password (because they “remember you”). Dropbox and other storage services come to mind.
There are many more details to this question. A few that spring to mind…
There’s little point changing the password for an account until after that service has updated the security software on their web servers. But most of the well known services already have.
Not all servers use OpenSSL; plenty use different implementations of SSL encryption. (My hasty research suggests major banks don’t seem to use OpenSSL.) Nonetheless — especially if you use the same password on many different accounts — you should change your password everywhere, because it’s possible that password was stolen from another service that did use this buggy software.
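Two of the points above (email accounts come first because they gate password resets elsewhere, and a password shared across services should be changed everywhere) can be turned into a small audit. The script below is an added example, not part of the original post: it takes an inventory of accounts, groups them by a fingerprint of the password so the report never contains the password itself, and orders the change list email-first, then reused passwords, then everything else. The account list is constructed for the demo; in real use it would come from your own password manager export.

```python
import hashlib
from collections import defaultdict

# Constructed sample inventory for the demo: (service, account kind, password).
# These are made-up services and passwords, not real accounts.
SAMPLE_ACCOUNTS = [
    ("personal-mail.example", "email", "correct horse battery staple"),
    ("work-mail.example", "email", "Tr0ub4dor&3"),
    ("shop.example", "shopping", "Tr0ub4dor&3"),
    ("forum.example", "forum", "Tr0ub4dor&3"),
    ("bank.example", "bank", "unique-bank-passphrase-2014"),
    ("files.example", "storage", "correct horse battery staple"),
]


def fingerprint(password):
    """Short, stable fingerprint so the report can group passwords
    without ever printing or storing the password itself."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reuse(accounts):
    """Return {fingerprint: [services]} for every password used by
    more than one service."""
    groups = defaultdict(list)
    for service, _kind, password in accounts:
        groups[fingerprint(password)].append(service)
    return {fp: svcs for fp, svcs in groups.items() if len(svcs) > 1}


def change_order(accounts):
    """Order services to change: email accounts first (they confirm
    password resets elsewhere), then anything whose password is shared
    with another service, then the rest, alphabetically within each tier."""
    reused = {s for svcs in find_reuse(accounts).values() for s in svcs}

    def rank(entry):
        service, kind, _password = entry
        return (0 if kind == "email" else 1, 0 if service in reused else 1, service)

    return [service for service, _kind, _password in sorted(accounts, key=rank)]


if __name__ == "__main__":
    for fp, services in find_reuse(SAMPLE_ACCOUNTS).items():
        print(f"password {fp} is shared by: {', '.join(services)}")
    print("change in this order:")
    for i, service in enumerate(change_order(SAMPLE_ACCOUNTS), 1):
        print(f"  {i}. {service}")
```

With the sample inventory, both email accounts share a password with other services, so they sit at the top; the bank, whose password is unique, comes last. Changing passwords in that order gets the most risk reduction from the first few minutes of effort.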
We don’t yet know everything about this bug, nor about its hypothetical and actual consequences. This is breaking news, still being investigated. But I wrote this article mostly for people who won’t take the time to follow that news. And because, in the time you would spend reading more about this, you could actually be doing something about it.
So, change your passwords. Then maybe mark your calendar to change them again, sometime after the investigation and mitigation of this problem has played out in the tech sector.
If I learn anything which contradicts the simplicity of this advice, I’ll post updates on Twitter and Facebook. As always, if you know more about internet encryption than I do, I welcome your corrections.
A RAID (a Redundant Array of Inexpensive Disks) is two or more hard drives connected together (usually inside the same enclosure) so that they act like a single bigger hard drive. There are several different kinds.
RAID 0, striped RAIDs, are for speed, striping (dividing) the data workload between two drives, kinda (vaguely) the way that two relay runners are faster than a single runner. Except that these two are circling the track and handing off the baton 7200 times per second!
RAID 1, mirrored RAIDs, are for on-the-fly backup purposes, protecting every bit of your data, right up until the second that one of its drives fails. It does this by saving everything twice, simultaneously, to two different drives. Because it is very unlikely both drives would fail at the same time, you should lose no data when one of them dies. Indeed, a mirrored RAID will keep working even when one of its two drives fails. They are a good choice wherever failure is not an option.
RAID 5 devices do more or less what a Drobo does. In theory, you just stick 3 or more bare hard drives into the box, and it does the rest, using them all. To you it will look like one big drive. But any one of those drives can die (or be removed or replaced) without any loss of data.
RAID 10 (RAID 1 + 0) uses four drives to both Stripe and Mirror all data. In other words it does both what a RAID 1 and RAID 0 do, all in one (big, expensive) box.
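To make the differences between these RAID levels concrete, here is an added example (not from the original post) that simulates three of them in a few dozen lines of Python: striping (RAID 0) spreads chunks across drives and loses everything when one drive is removed; mirroring (RAID 1) keeps a full copy on each drive; and RAID 5 stores one parity chunk per stripe, computed as the XOR of the data chunks, so any single missing chunk can be rebuilt by XORing the rest. The XOR-parity mechanism goes beyond what the text describes (it only says a RAID 5 survives one drive loss); the chunk size, the parity rotation and the sample data are assumptions made for the demo. RAID 10 is left out, since it is just RAID 1 applied over RAID 0.

```python
def chunked(data, size):
    """Split bytes into fixed-size chunks (last one may be shorter)."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def fail(drives, idx):
    """Model a failed or removed drive as None, without touching the original."""
    return [None if i == idx else d for i, d in enumerate(drives)]


def can_read(read_fn, *args):
    """True if the array can still return its data, False if the read raises."""
    try:
        read_fn(*args)
        return True
    except IOError:
        return False


# RAID 0: chunk i goes to drive i % n. Fast, but no redundancy at all.
def raid0_write(data, n_drives, chunk=4):
    drives = [[] for _ in range(n_drives)]
    for i, c in enumerate(chunked(data, chunk)):
        drives[i % n_drives].append(c)
    return drives


def raid0_read(drives):
    if any(d is None for d in drives):
        raise IOError("RAID 0: a member drive is gone, data lost")
    n = len(drives)
    total = sum(len(d) for d in drives)
    return b"".join(drives[i % n][i // n] for i in range(total))


# RAID 1: every drive holds the whole thing; any surviving drive serves reads.
def raid1_write(data, n_drives=2):
    return [[data] for _ in range(n_drives)]


def raid1_read(drives):
    for d in drives:
        if d is not None:
            return d[0]
    raise IOError("RAID 1: all mirrors failed")


# RAID 5: each stripe holds n-1 data chunks plus one parity chunk (XOR of the
# data), with the parity position rotating across drives stripe by stripe.
def xor_bytes(blocks):
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def raid5_write(data, n_drives, chunk=4):
    assert n_drives >= 3, "RAID 5 needs at least three drives"
    per_stripe = chunk * (n_drives - 1)
    padded = data + b"\0" * (-len(data) % per_stripe)  # equal-length chunks for XOR
    drives = [[] for _ in range(n_drives)]
    for s, stripe in enumerate(chunked(padded, per_stripe)):
        chunks = chunked(stripe, chunk)
        parity_drive = (n_drives - 1 - s) % n_drives
        data_iter = iter(chunks)
        for d in range(n_drives):
            drives[d].append(xor_bytes(chunks) if d == parity_drive else next(data_iter))
    return drives


def raid5_read(drives, length):
    """Read back `length` bytes, rebuilding one missing drive from parity."""
    n = len(drives)
    failed = [i for i, d in enumerate(drives) if d is None]
    if len(failed) > 1:
        raise IOError("RAID 5: more than one drive lost, data unrecoverable")
    n_stripes = len(next(d for d in drives if d is not None))
    out = []
    for s in range(n_stripes):
        parity_drive = (n - 1 - s) % n
        row = [None if drives[d] is None else drives[d][s] for d in range(n)]
        if failed:
            # XOR of all the other chunks in the stripe (data and parity)
            # is exactly the chunk that was on the missing drive.
            row[failed[0]] = xor_bytes([c for i, c in enumerate(row) if i != failed[0]])
        out.extend(row[d] for d in range(n) if d != parity_drive)
    return b"".join(out)[:length]


if __name__ == "__main__":
    DATA = b"The quick brown fox jumps over the lazy dog"  # constructed sample
    print("RAID 0 survives one loss:", can_read(raid0_read, fail(raid0_write(DATA, 2), 0)))
    print("RAID 1 survives one loss:", can_read(raid1_read, fail(raid1_write(DATA), 0)))
    r5 = raid5_write(DATA, 3)
    print("RAID 5 survives one loss:", raid5_read(fail(r5, 1), len(DATA)) == DATA)
    print("RAID 5 survives two losses:", can_read(raid5_read, fail(fail(r5, 0), 1), len(DATA)))
```

Running it prints False, True, True, False: the striped array is gone after one failure, the mirror and the RAID 5 carry on, and the RAID 5 gives up once a second drive goes. That last line is the practical caveat the text hints at: once one drive has died, a RAID 5 has no redundancy left until it is replaced and rebuilt.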
Clearly, different RAIDs are useful for completely different circumstances. Most off-the-shelf RAIDs can be configured as either striped or mirrored, while the models with 4 hard drive slots give you more options. But they all cost more than a single drive of comparable capacity.
Most people do not really need one at home — especially if they already use an effective backup strategy. For routine (and lower cost) data backup, I use and usually recommend other methods.
Though, theoretically, a small home network should be less complicated for private sharing and automatic backup of your files, in reality, I usually find Dropbox* to be the simpler and more reliable solution. With my files stored “in the cloud”, I can access them from any device and anywhere that I have an internet connection. And, when I don’t have an internet connection, Dropbox still has a copy of every file on each of my computers. I’ve been using Dropbox every day for 4 years, now, and couldn’t be happier with it.
* This is a referral link. If you click it and install Dropbox on your computer, they will give you an additional 500 megabytes of free storage, and they’ll give me an extra gigabyte. Otherwise, it’s exactly the same as signing up for Dropbox's normal free account.